First, it allows root to ignore the

naming conventions. Second, it allows root to always perform any operation on any ccache. Note that root could do this anyway with FILE ccaches git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20470 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-04-20 10:41:11 +00:00
parent 4caa3f6d2c
commit b22da5088e
3 changed files with 31 additions and 7 deletions
--- a/kcm/acl.c
+++ b/kcm/acl.c
@@ -93,12 +93,13 @@ kcm_access(krb5_context context,

    mask = 0;

-    if (client->uid == ccache->uid) {
+    /* Root may do whatever they like */
+    if (client->uid == ccache->uid || CLIENT_IS_ROOT(client)) {
 	if (read_p)
 	    mask |= S_IRUSR;
 	if (write_p)
 	    mask |= S_IWUSR;
-    } else if (client->gid == ccache->gid) {
+    } else if (client->gid == ccache->gid || CLIENT_IS_ROOT(client->uid)) {
 	if (read_p)
 	    mask |= S_IRGRP;
 	if (write_p)
--- a/kcm/client.c
+++ b/kcm/client.c
@@ -31,6 +31,7 @@
 */

 #include "kcm_locl.h"
+#include <pwd.h>

 RCSID("$Id$");

@@ -116,17 +117,18 @@ kcm_ccache_new_client(krb5_context context,
 		bad = 0;
 	}

-	if (bad)
+	/* Allow root to create badly-named ccaches */
+	if (bad && CLIENT_IS_ROOT(client))
 	    return KRB5_CC_BADNAME;
    }
 	
    ret = kcm_ccache_resolve(context, name, &ccache);
    if (ret == 0) {
-	if (ccache->uid != client->uid ||
-	    ccache->gid != client->gid)
+	if ((ccache->uid != client->uid ||
+	     ccache->gid != client->gid) && !CLIENT_IS_ROOT(client))
 	    return KRB5_FCC_PERM;
-    } else if (ret != KRB5_FCC_NOFILE) {
-	return ret;
+    } else if (ret != KRB5_FCC_NOFILE && !(CLIENT_IS_ROOT(client) && ret == KRB5_FCC_PERM)) {
+		return ret;
    }

    if (ret == KRB5_FCC_NOFILE) {
@@ -158,6 +160,25 @@ kcm_ccache_new_client(krb5_context context,
 	return ret;
    }

+    /* 
+     * Finally, if the user is root and the cache was created under
+     * another user's name, chown the cache to that user and their
+     * default gid.
+     */
+    if (CLIENT_IS_ROOT(client)) {
+	uid_t uid;
+	int matches = sscanf(name,"%ld:",&uid);
+	if (matches == 0)
+	    matches = sscanf(name,"%ld",&uid);
+	if (matches == 1) {
+	    struct passwd *pwd = getpwuid(uid);
+	    if (pwd != NULL) {
+		gid_t gid = pwd->pw_gid;
+		kcm_chown(context, client, ccache, uid, gid);
+	    }
+	}
+    }
+    
    *ccache_p = ccache;
    return 0;
 }
--- a/kcm/kcm_locl.h
+++ b/kcm/kcm_locl.h
@@ -140,6 +140,8 @@ typedef struct kcm_client {
    gid_t gid;
 } kcm_client;

+#define CLIENT_IS_ROOT(client) ((client)->uid == 0)
+
 /* Dispatch table */
 /* passed in OPERATION | ... ; returns STATUS | ... */
 typedef krb5_error_code (*kcm_method)(krb5_context, kcm_client *, kcm_operation, krb5_storage *, krb5_storage *);